January 11, 2016

Toying with the Broken Window Theory

High-tech toymaker VTech recently made headlines when they announced they’d been the victim of a significant cyberattack. Personal account information associated with over 10,000,000 of their customers was compromised in the attack, including over 6 million profiles tied to the children using their toys.

When I got word of this incident, I immediately thought back to a presentation my colleague, Erik Peterson, gave last year on the Broken Window Theory.

Broken Window Theory (BWT) was popularized in New York City during the 1980s, a time when crime rates were exploding, and leaders were struggling to determine how to reverse the trend. Essentially, BWT posits that the more a neighborhood shows signs of decay (graffiti, litter, and the eponymous broken windows), the more likely it is that serious crime will follow. By ignoring ‘the little things,’ we create a snowballing culture of apathy that leads toward ‘the bigger things’ becoming an everyday occurrence.

Like many malicious actors, the individual responsible for the VTech attack acted opportunistically, using ‘broken windows’ as signposts to determine where, and how, to strike. A recent Vice interview with the hacker notes:

[Info on Vtech from an online forum] got the hacker curious. In the following weeks, he “browsed around” until he found one of the many VTech websites. The hacker noticed that the site was using Flash, and had a login box. He then quickly found out the site was vulnerable to the ancient, yet still very effective, hacking technique known as SQL injection.

The same attack technique used to infiltrate TalkTalk, Bell Canada, and several other enterprises over the past few years has led to VTech customer information, including users’ home addresses and photos of their children, being distributed across the world. In 2012, Barclays estimated that SQLi played a part in 97% of data breaches. Last year’s Verizon Data Breach Investigations Report found that SQLi was leveraged in 80% of attacks against web applications in the retail industry, and, better yet, described web applications as ‘the punching bag of the internet.’
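The login-box flaw the Vice interview describes comes down to how the query is built. As an added illustration that is not part of the original post (and not VTech’s code, schema, or data), the following shows a login check with user input concatenated into the SQL text next to the same check written with bound parameters; the user table and credentials are constructed for the demo, and the verification function names are my own.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # In a real application the stored value would be a salted password hash
    # and the comparison would happen server-side; the string here is a stand-in.
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return conn


def login_vulnerable(conn, username, password_hash):
    """Flawed check: untrusted input is pasted into the SQL text, so the input
    can change the structure of the query rather than just its data."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' "
        "AND password_hash = '%s'" % (username, password_hash)
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password_hash):
    """Hardened check: placeholders keep the query structure fixed and pass
    the input to the database engine purely as data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


def compare_behaviour():
    """Run both checks against valid credentials, a wrong password, and the
    textbook tautology string, returning the outcomes for inspection."""
    conn = make_db()
    cases = {
        "valid": ("alice", "hash-of-alice-password"),
        "wrong_password": ("alice", "wrong"),
        # Classic SQLi tautology: turns the WHERE clause into a condition that
        # is always true when it is concatenated instead of bound.
        "tautology": ("alice", "' OR '1'='1"),
    }
    return {
        name: {
            "vulnerable": login_vulnerable(conn, *creds),
            "parameterized": login_parameterized(conn, *creds),
        }
        for name, creds in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare_behaviour().items():
        print(f"{name:15} vulnerable={result['vulnerable']} "
              f"parameterized={result['parameterized']}")
```

The concatenated version accepts the tautology input as a successful login for any existing username, while the parameterized version simply compares the literal string against the stored value and rejects it. The fix is the same one a scanner would point at for this class of finding: never build the query text from input, bind it.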

If you knew that 4 out of 5 homes in your neighborhood were broken into due to a faulty window latch, would you: 1) call a repairman and ensure your windows were safe, or 2) say, “Eh, too late now! Hopefully, they skip us and head to the next house!”?

Unfortunately, even at many of the world’s most security-conscious organizations, the attitude behind answer #2 is more pervasive than you’d think. It’s the result of a perceived (sometimes real) lack of resources, scale, and accountability.

Erik notes three key tenets of BWT that helped NYC address its crime problem, each of which struck a chord with me as they relate to how Veracode helps our customers tackle the application security problem.

Improve the environment

Fix the broken windows, remove graffiti, etc.

Through our Web Application Perimeter Monitoring service, organizations can identify ALL web-facing websites on their perimeter, and assess that perimeter for vulnerabilities like SQLi. Within a matter of weeks, if not days, our customers are able to take this information and work with Veracode to remediate the vulnerabilities posing the biggest threat to the business. Along with remediation work, WAPM helps IT leaders to identify and decommission ‘ancient’ (in Internet years, at least) websites, running on the sort of technologies that led the VTech hacker to his ‘prize.’

Rapid, persistent response

Address the re-introduction of decay quickly and diligently.

By partnering with Veracode to integrate a culture of security within a developer’s day-to-day activities, organizations can proactively find and fix software vulnerabilities, where fixing flaws is at least 6x less expensive than rewriting an app already in production.

Make it personal

More police patrolling on foot, speaking with citizens in a human way, rather than simply rolling by in their squad cars.

The ‘scan and scold’ cadence of yesteryear has led many developers to turn a deaf ear towards their security team, and limited their openness to understanding the importance of protecting their company and its customers. Veracode has understood this tension since our inception, which is why we connect your developers with a team of former developers who have become experts in secure coding. They help customers realize that security, ‘Is only new and scary, until it’s not,’ and create a degree of accountability, by making the vulnerabilities they’ve written feel tactile, with real-world consequences.

Remember, security is a journey, not a destination, and it’s a journey that requires shared responsibilities, care, and effort.

Rob helps software vendors leverage Veracode’s fundamentally unique approach to solving the application security problem, enabling them to more effectively address application-layer risk, and ensure they can use their commitment to security as a competitive differentiator in the marketplace. When he isn’t working with clients, Rob can typically be found at concerts around Boston, or the nearest Taco Bell (yep, you guessed it…he’s a health nut!).
